Open source software security

Drupal Workflow 6.x-1.1 and 5.x-2.3 XSS Vulnerability

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Workflow module (http://drupal.org/project/workflow) "allows the creation and assignment of arbitrary workflows to Drupal node types. Workflows are made up of workflow states. For example, a workflow with the states Draft, Review, and Published could be assigned to the Story node type."

The Workflow module versions 6.x-1.1 and 5.x-2.3 contain a cross-site scripting (XSS) vulnerability.

Systems affected:

Drupal 6.14 with Workflow 6.x-1.1 and Drupal 5.20 with Workflow 5.x-2.3 were tested and shown to be vulnerable.

Impact:

XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise.

Mitigating factors:

The Workflow module must be installed. To carry out a Workflow based XSS exploit the attacker must have 'administer workflow' or 'administer content types' or 'administer users' permissions.

Proof of Concept:

1. Install Drupal 6.14
2. Install Workflow 6.x-1.1
3. Enable the Workflow module from Administer -> Site building -> Modules
4. Click Administer -> Site building -> Workflow
5. Click 'Add workflow'
6. Enter "<script>alert('xss');</script>" in the 'Workflow Name:' textbox and click 'Add workflow'
7. Enter "<script>alert('state xss');</script>" in the 'State name' textbox on the resulting screen and click 'Save'
8. On the resulting screen (Administer -> Site building -> Workflow) the workflows are listed and the JavaScript is rendered producing alerts for workflow names, state names, and content type names.
9. Click 'Edit' next to any workflow name to view JavaScript rendered as a result of any malicious role name.

Technical details:

The Workflow module fails to sanitize the output of the Workflow name, state name, role names, and content type names before display. Applying the following patch fixes this vulnerability.
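The following is an added illustration of the bug class described above, not code from the Workflow module itself. It places an administrator-supplied workflow name into an HTML table row first without escaping and then with Drupal's check_plain(); the fallback definition of check_plain() mirrors Drupal 6's implementation (htmlspecialchars with ENT_QUOTES and UTF-8) so the file runs outside Drupal, and the sample rows and the function names workflow_list_rows_vulnerable / workflow_list_rows_fixed are constructed for this example.

```php
<?php
// Added example, not the Workflow module's own code. Demonstrates output
// escaping of admin-supplied names before they are rendered in an admin page.

// Drupal 6 provides check_plain(); this fallback (assumed to match its
// behaviour for valid UTF-8 input) lets the file run stand-alone.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample data standing in for rows loaded from the workflows table.
// The second name is the kind of value an administrator could type into the
// 'Workflow Name:' textbox.
$workflows = array(
  array('wid' => 1, 'name' => 'Editorial', 'states' => array('Draft', 'Published')),
  array('wid' => 2, 'name' => "<script>alert('xss');</script>", 'states' => array("<b>Review</b>")),
);

// Vulnerable pattern: names are concatenated into markup verbatim, so any
// HTML or script stored in the name is rendered by the browser.
function workflow_list_rows_vulnerable(array $workflows) {
  $rows = array();
  foreach ($workflows as $workflow) {
    $rows[] = '<tr><td>' . $workflow['name'] . '</td><td>'
      . implode(', ', $workflow['states']) . '</td></tr>';
  }
  return implode("\n", $rows);
}

// Hardened pattern: every untrusted value is escaped at the point it enters
// HTML, and the numeric id is cast so it cannot carry markup either.
function workflow_list_rows_fixed(array $workflows) {
  $rows = array();
  foreach ($workflows as $workflow) {
    $states = array_map('check_plain', $workflow['states']);
    $rows[] = '<tr data-wid="' . (int) $workflow['wid'] . '"><td>'
      . check_plain($workflow['name']) . '</td><td>'
      . implode(', ', $states) . '</td></tr>';
  }
  return implode("\n", $rows);
}

// Simple regression check: the escaped output must not contain a live tag.
function output_contains_raw_tag($html) {
  return (bool) preg_match('/<(script|b)\b/i', $html);
}

$vulnerable = workflow_list_rows_vulnerable($workflows);
$fixed = workflow_list_rows_fixed($workflows);

echo "Vulnerable output:\n", $vulnerable, "\n\n";
echo "Fixed output:\n", $fixed, "\n\n";

assert(output_contains_raw_tag($vulnerable) === true);
assert(output_contains_raw_tag($fixed) === false);
echo "Escaping check passed.\n";
```

In Drupal 6 code the same effect is obtained by passing names through check_plain() before handing them to theme('table'), or by using t() with @placeholders, which escapes the substituted value; the point is that escaping belongs at output time, regardless of which role was allowed to store the value.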

Patch for Workflow 6.x-1.1

Applying the following patch mitigates these threats in Workflow 6.x-1.1.